{"id":18118036,"url":"https://github.com/imor/pg_escape","last_synced_at":"2025-08-21T06:31:34.927Z","repository":{"id":260522505,"uuid":"881550305","full_name":"imor/pg_escape","owner":"imor","description":"A Rust library to escape Postgres flavoured SQL","archived":false,"fork":false,"pushed_at":"2024-11-01T09:00:30.000Z","size":19,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-11-16T03:20:04.588Z","etag":null,"topics":["postgres","postgresql","sql","sqlinject-defense"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/imor.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE-APACHE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-10-31T19:42:57.000Z","updated_at":"2024-11-11T18:18:43.000Z","dependencies_parsed_at":"2024-10-31T20:32:24.116Z","dependency_job_id":null,"html_url":"https://github.com/imor/pg_escape","commit_stats":null,"previous_names":["imor/pg_escape"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imor%2Fpg_escape","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imor%2Fpg_escape/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imor%2Fpg_escape/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imor%2Fpg_escape/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/imor","download_url":"https://codeload.github.com/imor/pg_escape/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":230083774,"owners_count":18170227,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["postgres","postgresql","sql","sqlinject-defense"],"created_at":"2024-11-01T05:08:06.177Z","updated_at":"2024-12-19T20:10:42.784Z","avatar_url":"https://github.com/imor.png","language":"Rust","readme":"# pg_escape\n\n`pg_escape` is a Rust library to escape Postgres flavoured SQL.\n\nTo avoid SQL injection attacks it is necessary to properly escape user input. This library provides functions for that.\n\n## quote_identifier\n\nUse `quote_identifier` to properly quote an identifier. An identifier names a database object. E.g. names of tables, columns, view etc. are identifiers. Inability to quote user supplied identifiers leads to SQL injection attacks. For example, if your system accepts a table name from a user and runs a `select * from \u003ctable_name\u003e` query, it is vulnerable to SQL injection attacks if constructed like this:\n\n```rust\nlet table_name = \"users\";//supplied by user\nlet query = format!(\"select * from {table_name}\");\n```\n\nInstead, do this:\n\n```rust\nuse pg_escape::quote_identifier;\n\nlet table_name = \"users\";//supplied by user\nlet quoted_table_name = quote_identifier(table_name);\nlet query = format!(\"select * from {quoted_table_name}\");\n```\n\n## quote_literal\n\nUse `quote_literal` to properly quote a literal. A literal is a value which is written literally in a SQL expression. Similar to `quote_identifier`, ensure that user supplied literals are quoted. For example, don't do this:\n\n```rust\nlet user = \"john\";//supplied by user\nlet query = format!(\"select * from users where username = {user}\");\n```\n\nDo this instead:\n\n```rust\nuse pg_escape::quote_literal;\n\nlet user = \"john\";//supplied by user\nlet quoted_user = quote_literal(user);\nlet query = format!(\"select * from users where username = {quoted_user}\");\n```\n\n## When not to use `pg_escape`\n\nMany Postgres client libraries and clients provide an option to run prepared statements (aka parameterized queries). Use them if available. `pg_escape` is useful for those constrained environments where prepared statements are not available. One example of such an environment is if you are connected to Postgres over a replication connection. A replication connection only supports a [simple query protocol](https://www.postgresql.org/docs/current/protocol-flow.html#PROTOCOL-FLOW-SIMPLE-QUERY) as mentioned in the Postgres [streaming replication protocol document](https://www.postgresql.org/docs/current/protocol-replication.html).\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fimor%2Fpg_escape","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fimor%2Fpg_escape","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fimor%2Fpg_escape/lists"}